Re: separate allowedips from routing for multipath
Thanks Reid, I'm aware of how that works, but that's not the question. V is an IP routed on A1 or A2, not a "road warrior" case. I can look into whether port reuse is possible if a patchset doing that would be acceptable.

On Sat, Dec 11, 2021 at 12:30 AM Reid Rankin wrote:
>
> WireGuard doesn't care what address V has, because peers are defined
> by their public key. If V switches from A1 to A2, upon receiving a
> handshake packet from V's key from the address A2, B will start
> sending packets for V out to A2. Incoming packets can arrive from any
> IP; if they're from a connection with V, V's AllowedIP rules will be
> applied.

--
+4916093821054
Re: Cannot add wg0 on CentOS 8
On 09/12/2021 10:47, Mehdi Haghgoo wrote:
> Hi,
> I'm trying to add a wireguard device on CentOS Stream (was Linux just converted to Stream).
> When I enter "ip link add wg0 type wireguard" or try it using wg-quick wg0 up, I get the following error:
>
> RTNETLINK answers: Operation not supported
>
> I have wireguard-tools and kmod-wireguard installed.
> Additional information:
> uname -r: 4.18.0-147.8.1.el8_1.x86_64
> wg --version: wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
> kmod-wireguard version: 1.0.20211208
>
> Best regards,
> Mehdi

Is the wireguard module loaded? I doubt it. You are running a *very* old kernel, and I suspect the version of kmod-wireguard you are running does not support that kernel.

Why are you running a kernel that is two years out of date and full of unpatched security holes? Updating your system is probably the first step to fixing your issue.
Re: separate allowedips from routing for multipath
WireGuard doesn't care what address V has, because peers are defined by their public key. If V switches from A1 to A2, upon receiving a handshake packet from V's key from the address A2, B will start sending packets for V out to A2. Incoming packets can arrive from any IP; if they're from a connection with V, V's AllowedIP rules will be applied.
separate allowedips from routing for multipath
Hey,

I'm considering using WireGuard for a system where there can be multiple routes to an IP. The nearest solution I can think of is constantly changing the peer AllowedIPs from userspace and loading a large list of routes into it. But the challenge is that this is used for both routing decisions AND policy decisions.

Let's say we have 3 machines A1, A2, B and a machine that moves around, V.

V is currently connected via layer 2 at A1. B has V in AllowedIPs for peer A1, so that any packet for V is routed to A1.

Now we connect V to A2 instead. We need to move the AllowedIPs entry from A1 to A2 so that a packet for V is routed to A2. Old packets still arriving FROM V through A1 are now dropped.

This wouldn't be an issue if AllowedIPs could be separated from the routing decision somehow. I could have a wg interface per peer so I can do the routing using regular Linux tools, but wg doesn't like reusing the same port for multiple wg endpoints. We'll eventually run out of ports. I suppose port reuse is intentionally not allowed?

thanks
Arvid
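The thread above hinges on one property of WireGuard's cryptokey routing: the same AllowedIPs table decides which peer an outbound packet is sent to and whether an inbound packet from a peer is accepted. The following toy model, added here as an example and not code from WireGuard or from any poster, reproduces the scenario in the post with constructed addresses (V as 10.0.0.7/32, site prefixes 10.1.0.0/16 and 10.2.0.0/16 are all invented). It shows that the moment V's prefix is moved from peer A1 to peer A2, packets from V that are still arriving via A1 fail the ingress check and are dropped, which is the policy side effect the post describes.

```python
import ipaddress


class CryptokeyRouter:
    """Minimal model of WireGuard's cryptokey routing (added example, not
    WireGuard's implementation): one prefix -> peer table is used for both
    outbound peer selection and inbound source-address policy."""

    def __init__(self):
        self.table = {}  # peer name -> list of ip_network objects

    def set_allowed_ips(self, peer, prefixes):
        """Replace a peer's AllowedIPs, like `wg set <if> peer <key> allowed-ips ...`."""
        self.table[peer] = [ipaddress.ip_network(p) for p in prefixes]

    def lookup(self, addr):
        """Longest-prefix match across all peers; returns the owning peer or None."""
        addr = ipaddress.ip_address(addr)
        best_peer, best_len = None, -1
        for peer, nets in self.table.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best_peer, best_len = peer, net.prefixlen
        return best_peer

    def egress_peer(self, dst):
        """Outbound direction: which peer's tunnel carries a packet for dst."""
        return self.lookup(dst)

    def accept_ingress(self, src, from_peer):
        """Inbound direction: a decrypted packet received from from_peer is
        accepted only if its source address belongs to that peer's AllowedIPs."""
        return self.lookup(src) == from_peer


def simulate_move():
    """Run the post's scenario on node B and return (before, after), each a
    tuple of (egress peer for V, V accepted via A1, V accepted via A2)."""
    v = "10.0.0.7"  # constructed address for the mobile machine V
    b = CryptokeyRouter()
    # V is reachable through A1, so B lists V's /32 under peer A1.
    b.set_allowed_ips("A1", ["10.1.0.0/16", v + "/32"])
    b.set_allowed_ips("A2", ["10.2.0.0/16"])
    before = (b.egress_peer(v), b.accept_ingress(v, "A1"), b.accept_ingress(v, "A2"))

    # V moves to A2: the /32 must be moved, since a prefix belongs to one peer.
    b.set_allowed_ips("A1", ["10.1.0.0/16"])
    b.set_allowed_ips("A2", ["10.2.0.0/16", v + "/32"])
    after = (b.egress_peer(v), b.accept_ingress(v, "A1"), b.accept_ingress(v, "A2"))
    return before, after


if __name__ == "__main__":
    before, after = simulate_move()
    print("before move:", before)  # ('A1', True, False)
    print("after move: ", after)   # ('A2', False, True): in-flight packets via A1 dropped
```

The model keeps only the property under discussion: because `accept_ingress` and `egress_peer` consult the same table, there is no way to keep accepting V's traffic from A1 while steering new traffic to A2 without listing V's prefix under both peers, which WireGuard's single-owner table does not allow.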
Cannot add wg0 on CentOS 8
Hi,

I'm trying to add a wireguard device on CentOS Stream (was Linux just converted to Stream). When I enter "ip link add wg0 type wireguard" or try it using wg-quick wg0 up, I get the following error:

RTNETLINK answers: Operation not supported

I have wireguard-tools and kmod-wireguard installed.

Additional information:
uname -r: 4.18.0-147.8.1.el8_1.x86_64
wg --version: wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
kmod-wireguard version: 1.0.20211208

Best regards,
Mehdi
[RFC] wireguard RX packet processing.
I didn't understand everything, I just stumbled upon this while looking for something else and don't have the time to figure everything out. Also I might have taken a wrong turn somewhere…

need_resched() is something you want to avoid unless you write core code. On a PREEMPT kernel you never observe true here and cond_resched() is a nop. On non-PREEMPT kernels need_resched() can return true/false _and_ should_resched() (which is part of cond_resched()) returns only true if the same bit is true. This means invoking only cond_resched() saves one read access. Bonus points: On x86 that bit is folded into the preemption counter so you avoid reading that bit entirely plus the whole thing is optimized away on a PREEMPT kernel.

wg_queue_enqueue_per_peer_rx() enqueues somehow skb for NAPI processing (this bit I haven't figured out yet but it has to) and then invokes napi_schedule(). This napi_schedule() wasn't meant to be invoked from preemptible context, only from an actual IRQ handler:

- if NAPI is already active (which can only happen if it is running on a remote CPU) then nothing happens. Good.

- if NAPI is idle then __napi_schedule() will "schedule" it. Here is the thing: You are in process context (kworker) so nothing happens right away: NET_RX_SOFTIRQ is set for the local CPU and NAPI struct is added to the list. Now you need to wait until a random interrupt appears which will notice that a softirq bit is set and will process it. So it will happen eventually…

I would suggest to either:

- add a comment that this is known and it does not matter because $REASON. I would imagine you might want to batch multiple skbs but…

- add a BH disable section around wg_queue_enqueue_per_peer_rx() (see below). That bh-enable() will invoke pending softirqs which in your case should invoke wg_packet_rx_poll() where you see only one skb.

diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index 7b8df406c7737..64e4ca1ded108 100644
--- a/drivers/net/wireguard/receive.c +++ b/drivers/net/wireguard/receive.c @@ -507,9 +507,11 @@ void wg_packet_decrypt_worker(struct work_struct *work) enum packet_state state = likely(decrypt_packet(skb, PACKET_CB(skb)->keypair)) ? PACKET_STATE_CRYPTED : PACKET_STATE_DEAD; + local_bh_disable(); wg_queue_enqueue_per_peer_rx(skb, state); - if (need_resched()) - cond_resched(); + local_bh_enable(); + + cond_resched(); } } Sebastian
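Review bot: the local_bh_disable()/local_bh_enable() pair added around wg_queue_enqueue_per_peer_rx() carries no comment, yet its purpose is non-obvious from the code alone: the enable side is there to run the NET_RX_SOFTIRQ that napi_schedule() raised from kworker context, so the RX poll does not wait for an unrelated interrupt. A one-line comment above `local_bh_disable();` stating that intent would stop a later reader from "cleaning up" the pair as redundant. Second, as the covering mail itself notes, running the pending softirq on every enable means wg_packet_rx_poll() sees a single skb per iteration, which forfeits the batching the per-peer ring is meant to provide; either widening the BH-disabled region to cover several dequeued skbs, or documenting why per-skb wakeups are acceptable here, would make the trade-off explicit. The move of `cond_resched();` to after `local_bh_enable();` and the drop of the redundant `need_resched()` guard look correct, since cond_resched() must not run with BH disabled.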
Re: [PATCH 0/2] wireguard-linux-compat: grsecurity compat patches
CC'ing in Aymeric, who's working on Vale's codegen.

On Thu, Dec 9, 2021 at 8:59 AM Mathias Krause wrote:
>
> On 08.12.21 at 15:56, Jason A. Donenfeld wrote:
> > On Mon, Dec 6, 2021 at 10:00 PM Mathias Krause
> > wrote:
> >> Yes, probably, but you're mixing up the two.
> >
> > Oh, thanks, right.
> >
> > I'll talk to EverCrypt upstream and see.
>
> FWIW, 'out' is also wrongly flagged as output operand in fmul() and
> fmul2(). But making it an input operand needs more surgery, as the
> operand order changes and this requires some code churn.
>
> Mathias